Bug 286767 - RESOLVED FIXED
StylePropertyMap::append is not properly verifying that we don't append CSSVariableReferenceValue style values
https://bugs.webkit.org/show_bug.cgi?id=286767
Pedro Varangot
Reported 2025-01-30 13:02:03 PST
This can result in crashes when attempting to resolve style later on. Example:

frame #0: WebCore`WebCore::convertToLengthSize(WebCore::CSSValue const&, WebCore::CSSToLengthConversionData const&, WebCore::LengthSize&)+0x318
frame #1: WebCore`WebCore::CSSToStyleMap::mapFillSize(WebCore::CSSPropertyID, WebCore::FillLayer&, WebCore::CSSValue const&) const+0x1a8
frame #2: WebCore`WebCore::Style::BuilderFunctions::applyValueBackgroundSize(WebCore::CSSPropertyID, WebCore::Style::BuilderState&, WebCore::CSSValue&)+0x200
frame #3: WebCore`WebCore::Style::BuilderGenerated::applyProperty(WebCore::CSSPropertyID, WebCore::Style::BuilderState&, WebCore::CSSValue&, WebCore::Style::ApplyValueType)+0x7e40
frame #4: WebCore`WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask)+0x3e40
frame #5: WebCore`WebCore::Style::Builder::applyNonHighPriorityProperties()+0xbd0
frame #6: WebCore`WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&)+0x5cc
frame #7: WebCore`WebCore::Style::Resolver::styleForElement(WebCore::Element&, WebCore::Style::ResolutionContext const&, WebCore::RuleMatchingBehavior)+0x450
frame #8: WebCore`WebCore::Style::TreeResolver::styleForStyleable(WebCore::Styleable const&, WebCore::Style::TreeResolver::ResolutionType, WebCore::Style::ResolutionContext const&, WebCore::RenderStyle const*)+0xbb8
frame #9: WebCore`WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType)+0x4a8
frame #10: WebCore`WebCore::Style::TreeResolver::resolveComposedTree()+0x1978
frame #11: WebCore`WebCore::Style::TreeResolver::resolve()+0x55c
frame #12: WebCore`WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)+0x50c
Pedro Varangot
Comment 1 2025-01-30 13:02:19 PST
Pedro Varangot
Comment 2 2025-03-17 16:24:03 PDT
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/51410
Pedro Varangot
Comment 3 2025-03-18 14:24:31 PDT
EWS
Comment 4 2025-03-19 13:01:28 PDT
Committed 292377@main (f2e814363ebf): <https://commits.webkit.org/292377@main> Reviewed commits have been landed. Closing PR #39782 and removing active labels.